Last week I was in Stockholm for the route servers workshop organised by #Euro-IX. I presented my work on the #Debian packaging of software like #BIRD, #OpenBGPD and the #RPKI validators.

Slides are available at https://www.linux.it/~md/text/ixp-debian-rsws2026.pdf .

Interesting discussion about distribution / decentralization / de facto concentration of the #RPKI at #IETF125, which reminds me of discussions about the fediverse, Bluesky, etc.

To explore the #RPKI database: https://rpkiviews.org/

#IETF125


"RPKI has been around for a while... more than a decade..."

🤔

🧐

😱

"more than a decade"??

... I remember when it began... 😃

#IETF #IETF125 #RPKI #RoutingSecurity #MANRS

"ARIN's Director of Customer Technical Services, Brad Gorman, is bringing RPKI expertise to the Toronto Network Operators Group's inaugural full-day conference."

Learn:
🔹 What RPKI actually does
🔹 Why it matters for YOUR network
🔹 How to deploy it safely
🔹 Where to start (no theory overload!)

See ARIN's original post here: https://www.instagram.com/p/DV2VLbfDTN4/

Join us on April 13th and check out the full agenda here:

https://tornog.ca/events/tornog-1/agenda/

#TORNOG #RPKI #RoutingSecurity #Toronto #NetworkOperations

pqRPKI: A Practical RPKI Architecture for the Post-Quantum Era

The Resource Public Key Infrastructure (RPKI) secures Internet routing by binding IP prefixes to authorized Autonomous Systems, yet its RSA foundations are vulnerable to quantum adversaries. A naive swap to post-quantum (PQ) signatures (e.g., Falcon) is a poor fit for RPKI's bulk model: every relying party (RP) repeatedly fetches and validates the entire global repository, so larger keys and signatures inflate bandwidth and CPU cost, especially during a long dual-stack transition. We present pqRPKI, a post-quantum RPKI framework that pairs a multi-layer Merkle Tree Ladder (MTL) with RPKI objects, customized to relocate per-object verification material from certificates into the Manifest. To update RPKI for Merkle tree based schemes, pqRPKI redesigns the RPKI manifest and delegation chain and introduces a ladder-guided sync and bulk-verification workflow that lets validators localize diffs top-down and rebuild trees bottom-up. pqRPKI also preserves current RPKI objects and encodings, supports both hosted and delegated operation, and provides an additive migration path that coexists with today's trust anchors for dual-stack deployment with little size overhead. Implemented as a working publication point (PP) and RPs, we show that pqRPKI reduces repository footprint to 546.8 MB on average (65.5%/83.1% smaller than Falcon/ML-DSA), cuts full-cycle validation to 102.7 s, and achieves 118.3 s end-to-end PP to Router time, enabling sub-2-minute operating cadences with full-repository validation each cycle. Dual-stack deployment with RSA only adds just 3.4% size overhead versus today's RPKI repositories.

arXiv.org

The agenda for TORNOG 1 is live! https://tornog.ca/events/tornog-1/agenda/

Join us for the inaugural TORNOG full day conference on April 13th, at the MaRS Centre in Toronto!

#Toronto #RPKI #Fiber #IX #Sovereignty #AutonomousResilience #CloudNetwork #NetworkAutomation

Krill 0.16.0 is now available.

This release of our #RPKI Certification Authority reverts back to downloading the RISwhois data and processing it locally for analysing ROAs rather than using an external API.

The Krill daemon will now also listen on a Unix socket which allows it to use the name of the local user for authentication, making it unnecessary to specify the authentication token when using krillc locally.

https://community.nlnetlabs.nl/t/krill-0-16-0-fruher-war-mehr-lametta-released/73

Krill 0.16.0 ‘Früher war mehr Lametta’ released


Blogged: Using RPKI on MikroTik RouterOS 7 (7.21)

https://www.tabsoverspaces.com/id/233962

#mikrotik #security #bgp #rpki

Using RPKI on MikroTik RouterOS 7 (7.21) | tabs ↹ over ␣ ␣ ␣ spaces by Jiří {x2} Činčura

#ASPA is an emerging standard intended to help further improve routing security. You can now track ASPA deployment at a global, country/region, and ASN level on Cloudflare Radar, including real-time searching for ASPA entries.

Explore it at https://radar.cloudflare.com/routing#rpki-aspa-deployment

#RPKI